# {{ ansible_managed }}

{% block server_before %}{% endblock %}

server {
  {% block server_id -%}
  listen {{ ssl_enabled | ternary('[::]:443 ssl', '[::]:80') }};
  listen {{ ssl_enabled | ternary('443 ssl', '80') }};
  http2 {{ nginx_http2_enabled | default(false) | ternary('on', 'off') }};
  http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }};
  server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }};
  {% endblock %}

  {% block logs -%}
  access_log   {{ www_root }}/{{ item.key }}/logs/access.log main;
  error_log    {{ www_root }}/{{ item.key }}/logs/error.log;
  {% endblock %}

  {% block server_basic -%}
  root  {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/{{ item.value.public_path | default('web') }};
  index index.php index.htm index.html;
  add_header Fastcgi-Cache $upstream_cache_status;

  # Additional proxy header for WordPress (notably its Site Health check)
  add_header X-Cache-Enabled $loopback_header_x_cache_enabled;

  # Specify a charset
  charset utf-8;

  # Set the max body size equal to PHP's max POST size.
  client_max_body_size {{ php_post_max_size | default('25m') | lower }};

  {% if env == 'development' -%}
  # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#virtualbox
  sendfile off;

  {% endif -%}
  {% endblock -%}

  {% block cache_conditions -%}
  {% if fastcgi_cache_enabled -%}
  # Fastcgi cache conditions
  set $skip_cache 0;

  # Skip requests with HTTP methods that should not be cached: DELETE, OPTIONS, PATCH, POST, PUT
  if ($request_method !~ ^(GET|HEAD)$) {
    set $skip_cache 1;
  }

  if ($query_string != "") {
    set $skip_cache 1;
  }
  if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") {
    set $skip_cache 1;
  }
  if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") {
    set $skip_cache 1;
  }

  {% endif -%}
  {% endblock -%}

  {% block multisite_rewrites -%}
  {% if item.value.multisite.enabled | default(false) -%}
  # Multisite rewrites
  {% if item.value.multisite.subdomains | default(false) -%}
  rewrite ^/(wp-.*.php)$ /wp/$1 last;
  rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last;

  {% else -%}
  if (!-e $request_filename) {
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    rewrite ^(/[^/]+)?(/wp-.*) /wp$2 last;
    rewrite ^(/[^/]+)?(/.*\.php) /wp$2 last;
  }

  {% endif -%}
  {% endif -%}
  {% endblock -%}

  {% block https -%}
  {% if ssl_enabled -%}
  # SSL configuration
  include h5bp/directive-only/ssl.conf;

  ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

  {% if item.value.ssl.provider | default('manual') != 'self-signed' -%}
  add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('equalto', omit) | join('; ') | trim }}";
  {% endif -%}

  {% if item.value.ssl.client_cert_url is defined -%}
  ssl_verify_client       on;
  ssl_client_certificate  {{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt;
  {% endif -%}

  {% if item.value.ssl.provider | default('manual') == 'manual' and item.value.ssl.cert is defined and item.value.ssl.key is defined -%}
  ssl_certificate         {{ nginx_path }}/ssl/{{ item.value.ssl.cert | basename }};
  ssl_certificate_key     {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }};

  {% elif item.value.ssl.provider | default('manual') == 'letsencrypt' -%}
  ssl_certificate         {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-bundled.cert;
  ssl_certificate_key     {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}.key;

  {% elif item.value.ssl.provider | default('manual') == 'self-signed' -%}
  ssl_certificate         {{ nginx_path }}/ssl/{{ item.key }}.cert;
  ssl_trusted_certificate {{ nginx_path }}/ssl/{{ item.key }}.cert;
  ssl_certificate_key     {{ nginx_path }}/ssl/{{ item.key }}.key;

  {% endif -%}
  {% endif -%}
  {% endblock -%}

  {% block acme_challenge -%}
  include acme-challenge-location.conf;

  {% endblock -%}

  {% block includes_d -%}
  include includes.d/all/*.conf;
  include includes.d/{{ item.key }}/*.conf;

  {% endblock -%}

  {% block location_uploads_php -%}
  # Prevent PHP scripts from being executed inside the uploads folder.
  location ~* /{{ item.value.upload_path | default('app/uploads') }}/.*\.php$ {
    deny all;
  }
  {% endblock %}

  {% block blade_twig_templates -%}
  # Prevent Blade and Twig templates from being accessed directly.
  location ~* \.(blade\.php|twig)$ {
    deny all;
  }
  {% endblock %}

  {% block dependency_managers -%}
  # composer
  location ~* composer\.(json|lock)$ {
    deny all;
  }

  location ~* composer/installed\.json$ {
    deny all;
  }

  location ~* auth\.json$ {
    deny all;
  }

  # npm
  location ~* package(-lock)?\.json$ {
    deny all;
  }

  # yarn
  location ~* yarn\.lock$ {
    deny all;
  }

  # bundler
  location ~* Gemfile(\.lock)?$ {
    deny all;
  }

  location ~* gems\.(rb|locked)?$ {
    deny all;
  }
  {% endblock %}

  {% block location_primary -%}
  location / {
    try_files $uri $uri/ /index.php?$args;
  }
  {% endblock %}

  {% block disable_xmlrpc -%}
    {% if item.value.xmlrpc.enabled is defined and item.value.xmlrpc.enabled == false %}
      location ~* xmlrpc\.php$ {
        return 444;
      }
    {% endif %}
  {% endblock %}

  {% block h5bp -%}
  {% if h5bp_cache_file_descriptors_enabled -%}
  include h5bp/directive-only/cache-file-descriptors.conf;
  {% endif -%}

  {% if h5bp_extra_security_enabled -%}
  include h5bp/directive-only/extra-security.conf;
  {% endif -%}

  {% if h5bp_no_transform_enabled -%}
  include h5bp/directive-only/no-transform.conf;
  {% endif -%}

  {% if h5bp_x_ua_compatible_enabled -%}
  include h5bp/directive-only/x-ua-compatible.conf;
  {% endif -%}

  {% if h5bp_cache_busting_enabled -%}
  include h5bp/location/cache-busting.conf;
  {% endif -%}

  {% if h5bp_cross_domain_fonts_enabled -%}
  include h5bp/directive-only/cross-origin-requests.conf;
  {% endif -%}

  {% if h5bp_expires_enabled -%}
  expires $expires;
  {% endif -%}

  {% if h5bp_protect_system_files_enabled -%}
  include h5bp/location/protect-system-files.conf;
  {% endif -%}

  {% endblock %}

  {% block embed_security -%}
  {% if item.value.nginx_embed_security | default(nginx_embed_security | default(true)) -%}
  add_header Content-Security-Policy "frame-ancestors 'self'" always;
  add_header X-Frame-Options SAMEORIGIN always;
  {% endif -%}
  {% endblock -%}

  {% block robots_tag_header -%}
  {% if robots_tag_header_enabled -%}
  # Prevent search engines from indexing non-production environments
  add_header X-Robots-Tag "noindex, nofollow" always;

  {% endif -%}
  {% endblock -%}

  {% block location_php -%}
  location ~ \.php$ {
    {% block location_php_basic -%}
    try_files $uri /index.php;

    {% endblock -%}

    {% block cache_config -%}
    {% if fastcgi_cache_enabled -%}
    # Fastcgi cache settings
    fastcgi_cache wordpress;
    fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }};
    fastcgi_cache_bypass $skip_cache;
    fastcgi_no_cache $skip_cache;
    fastcgi_cache_background_update {{ item.value.cache.background_update | default(nginx_cache_background_update) }};

    {% endif -%}
    {% endblock -%}

    {% block fastcgi_basic -%}
    include fastcgi_params;
    fastcgi_param SERVER_NAME $host;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
    fastcgi_pass unix:/var/run/php-fpm-wordpress.sock;
    {%- endblock %}

  }
  {%- endblock %}

}

{% block redirects_https %}
{% if ssl_enabled %}
# Redirect to https
server {
  listen [::]:80;
  listen 80;
  server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }};

  {{ self.acme_challenge() -}}

  {{ self.includes_d() -}}

  location / {
    return 301 https://$host$request_uri;
  }
}

{% endif %}
{% endblock -%}

{%- block redirects_domains %}
{% if site_hosts_redirects | default([]) | count %}
# Redirect some domains
{% endif %}
{% for host in item.value.site_hosts if host.redirects | default([]) %}
server {
  {% if ssl_enabled -%}
  listen [::]:443 ssl;
  listen 443 ssl;
  {% endif -%}
  listen [::]:80;
  listen 80;
  http2 {{ nginx_http2_enabled | default(false) | ternary('on', 'off') }};
  http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }};
  server_name {{ host.redirects | join(' ') }};

  {{ self.https() -}}

  {{ self.acme_challenge() -}}

  {{ self.includes_d() -}}

  location / {
    return 301 {{ ssl_enabled | ternary('https', 'http') }}://{{ host.canonical }}$request_uri;
  }
}
{% endfor %}
{% endblock %}
